Backing up DC for a catastrophic case
I've been setting up off-site backups for the most critical elements of the company I work at. One of these critical elements is the DC.
Now, the company is fairly small, so has only a single forest, and two DC servers on separate physical machines (one's virtualized, however). That said, a critical fault in the server room could destroy both of these machines.
So, I'm trying to create a DC backup for a critical-case scenario. I keep reading online that backing up the System State is enough, but I have a feeling this is only valid if you want to be able to restore the DC on the same server where the backup was taken. I've tried taking a System State backup and then restoring it on an isolated VM (same server, same updates), and this... didn't go so well; the restore went fine, but then I couldn't contact the local DC, even if I ensured the VM had the same IP as before (still isolated, of course). None of the DC-related administrative consoles worked either. There was even a warning during restoration that restoring a System State from another machine is not suggested.
Thus, I feel this is the wrong approach. So... what IS the right approach, if I want to back up our DC off-site, to cover a critical failure? A complete backup of the C: drive + System State? Or I could just back up the whole drive for that virtualized DC, but I'm trying to make the backup as small as possible...
PS. I'm using the Azure Backup application, but I don't think it's that relevant. All of our DCs are currently running Windows Server 2016.
backup domain-controller
asked 4 hours ago by Shaamaan (edited 1 hour ago)
3
+1 for actually testing critical recovery ;). I have not been using Azure Backup yet, but System State should be enough (no matter which backup solution you use). You did read the Technet article, I assume? Esp. the part for a different server.
– Lenniey
3 hours ago
@Lenniey Yes, I read that article. But, upon reflection, I may have missed a critical part of it (specifically the bit to follow more steps post AD recovery described here). I'm testing this now.
– Shaamaan
3 hours ago
2 Answers
"I'm trying to make the backup as small as possible..."
This is a common approach and it's the wrong approach.
You're protecting one of the company's most important information technology assets. Treat it as such. Nothing less than a full backup of the DC is acceptable. You can use the built-in Windows Server Backup to make a full, bare metal recovery capable backup of the DC.
DCs are typically small. You could probably fit the entirety of a full backup of the DC on a $20.00 USB drive. Don't skimp.
I get it, backup software and storage can be costly, especially over time. I hear no end of IT admins talking about ways to reduce those costs. Don't trade your ability to recover anything and/or everything simply to reduce costs. You need to determine how much protection (in the form of backups) you need to have and how to balance that with what you have available in your IT budget. Backups are like insurance: how much insurance do you want to have and how much are you willing to pay for it? I don't want to be the person who has to explain to the CEO that we can't recover a critical piece of IT infrastructure because we were trying to save a few dollars. My approach to backups is that it's better to have it and not need it than to need it and not have it.
From an operational and technical perspective, I'd much rather restore a full BMR backup of a DC than to try and restore the System State of the DC to a new machine.
answered 48 mins ago by joeqwerty (edited 36 mins ago)
A system state restore could work, but the only method supported by Microsoft is a full system image recovery. This includes system state.
A complete forest recovery is complex, so you need to review the following document and create your own document with the required steps:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide
answered 58 mins ago by Greg Askew
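A sketch of the full, bare-metal-recovery (BMR) capable backup that both answers recommend, taken with the Windows Server Backup PowerShell cmdlets and then checked for BMR capability. This is an added example, not code from either answerer; the target volume `E:` and the 24-hour freshness threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: one-off BMR-capable backup of a domain controller with
# Windows Server Backup, followed by a check that the newest backup set
# really can be used for bare metal recovery.
param(
    [string]$TargetVolume = 'E:',  # assumption: dedicated backup volume
    [int]$MaxAgeHours = 24         # assumption: freshness threshold for the check
)

$ErrorActionPreference = 'Stop'

# The Windows Server Backup feature provides the WB* cmdlets used below.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# Policy: all critical volumes (BMR) plus System State, as a VSS full backup.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# The backup holds the AD database, including every account's credential
# hashes, so the target (and any off-site copy of it) needs the same
# protection as the DC itself.
$target = New-WBBackupTarget -VolumePath $TargetVolume
Add-WBBackupTarget -Policy $policy -Target $target

# Runs synchronously unless -Async is given.
Start-WBBackup -Policy $policy

# 1) Did the job itself succeed?
$job = Get-WBJob -Previous 1
if ($job.HResult -ne 0) {
    throw "Backup job failed (HRESULT $($job.HResult)): $($job.ErrorDescription)"
}

# 2) Is the newest backup set on the target recent and BMR-capable?
$latest = Get-WBBackupSet -BackupTarget $target |
    Sort-Object -Property BackupTime -Descending |
    Select-Object -First 1

if (-not $latest) {
    throw "No backup set found on $TargetVolume."
}

$ageHours = ((Get-Date) - $latest.BackupTime).TotalHours
if ($ageHours -gt $MaxAgeHours) {
    throw ("Newest backup set is {0:N1} hours old (limit {1})." -f $ageHours, $MaxAgeHours)
}

# RecoverableItems lists what the set can restore; a System-State-only
# backup would not include BareMetalRecovery here.
if ("$($latest.RecoverableItems)" -notmatch 'BareMetalRecovery') {
    throw "Newest backup set is not BMR-capable: $($latest.RecoverableItems)"
}

[pscustomobject]@{
    VersionId        = $latest.VersionId
    BackupTime       = $latest.BackupTime
    RecoverableItems = "$($latest.RecoverableItems)"
}
```

A passing check only shows that the backup set exists and is marked BMR-capable; the isolated restore test described in the question is still what proves it can be recovered.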